Hackers successfully attacked a hedge fund, trades delayed

Various reports in the blogosphere this morning say that hackers have successfully attacked
a hedge fund, delaying several trades and then stealing profitable secrets in a rare but very
direct raid on the United States financial services sector.

Hackers apparently lifted large chunks of data on complex high speed trades from the financial firm,
then sent the details to external servers using malware which implanted itself on the victim's network.

For now, the identity of the attackers is unknown, said BAE product director Paul Henninger, but the stolen
data could be immensely profitable for smaller hedge fund firms looking for a leg up into the market.

The assumption of espionage was given further weight because attackers added slight delays to
the time between the issuance and execution of the victim's trades-- a feat which would certainly lead
to the discovery of the attacks but may have provided a competing firm with a much needed trading
advantage.

Henninger said that the attacks occurred in January 2013 and were escalated to the company board. Why it
took so long for the news to become public isn't known at this time.

"This was something that was getting reviewed at the board level of this hedge fund precisely
because it was having a material impact on performance across the whole portfolio," said Henninger.

Incredibly, the attacks began with a successful but very simple spear phishing email campaign
against a staffer, from which malware was deployed to gain a direct foothold in the company.

The attackers knew exactly what they were doing. Henninger didn't know if the hack was reported
to the Securities and Exchange Commission or FBI and noted that the fund would have little incentive
to do so.

Attacks against hedge funds don't often make it onto the public record. More than three years ago, Cyber
Engineering Services founder Joe Drissel tipped off one hedge fund that it was compromised after
he discovered its stolen data on a hacked server.

The unnamed company, which initially laughed off the disclosure, later disconnected its
entire enterprise network from the Web when Drissel sent its IT manager a copy of a stolen file.

Attackers had installed no fewer than three trojans on the victim's machines, which went completely undetected
by anti-virus software.

Exactly a year ago, Edward Snowden leaked the NSA's Advanced Network Technology catalog, a
complete listing of the hardware and software tools the agency makes available to its agents for
its spying activities.

Since then, enterprising security experts have been using the same extensive catalog to build
similar tools from low-cost and readily available electronics that anybody can easily get.

A team led by Michael Ossmann of Great Scott Gadgets examined the leaked catalog and discovered
that a number of the devices the NSA developed can be very simple to recreate.

For instance, Ossmann was able to build a simple software-defined radio (SDR) system capable
of recording and transmitting data from a target PC using a Kickstarter project, and says that
the hardware can be bought on the market for $300 or less.

"SDR lets you engineer a radio system of any type you like really quickly so you can research
wireless security in any radio format," he added.

Ossmann said that he was also able to build two devices from the NSA's catalog using little
more than a few transistors and a two-inch length of wire as an antenna. One mimics the NSA
product Ragemaster, a plug that sits on the monitor cable of a computer and broadcasts screen
images.

The other is a counterpart to the Surlyspawn keystroke logger, built at a small fraction (less than 5 percent)
of the cost the U.S. government gets charged for the same thing.

In a presentation at the Hack In The Box conference in Amsterdam last month, Ossmann detailed
some of his creations and the methods he and his team used to build them using off-the-shelf components.

Those devices aren't as small as the NSA's hardware, but are just as effective, he said. The
team has now set up a website, NSAPlayset.org, detailing the different spying products they
have reverse-engineered, and more details will be given out at presentations at the DEFCON
hacking conference being hosted in Las Vegas in August.

Ossmann's goal isn't to help hackers conduct their own spying operations, nor to make
it easier for the government to get low-cost surveillance hardware. While he has developed
tools for the federal government, the goal of his project is to help the security industry
understand the range of threats it should be protecting against.

"Showing how such devices exploit weaknesses in our systems means we can make them more
secure in the future," he added.

In other internet security news

It was revealed this morning that LinkedIn accounts can easily be hijacked through simple man in the
middle (MITM) attacks due to a failure to promptly patch an SSL stripping vulnerability.

The security flaw is described as a zero-day vulnerability and it allows attackers to gain
full control of a user's account after the user has logged in via SSL.

Attackers could position themselves between the user and the service and downgrade the connection
from HTTPS to plain HTTP, giving them access to the account.

User IDs, passwords and all LinkedIn data could then be siphoned off by hackers. All users
outside of Europe and the United States who didn't tick a box to activate optional HTTPS beyond
the login screen were vulnerable to the attack, said Zimperium CEO Zuk Avraham.

"Through a relatively straightforward MITM attack that leverages an SSL stripping technique,
hackers can steal a user’s credentials and gain full control of the user’s account," Avraham said.

"We have reached out to LinkedIn six times over the last year to bring this critical security vulnerability
to their attention and have urged them to improve their network security, but more than a year after
disclosing the security hole they have yet to implement a patch for this vulnerability," he added.

"When the victim types in an email and a password, it’ll be sent over the network in an
unencrypted form that can be easily read by any attacker, even the most amateur ones," he stated.

Avraham used his company's hacking tool to demonstrate the attack against his own account. He
said accounts could be accessed at random via the same flaw affecting LinkedIn's mobile app.

He warned that attackers could soil an organization's reputation by breaking into its account
and changing details or sending out messages.

LinkedIn has been gradually implementing full SSL across its websites since December last year
and is testing various techniques to handle mixed content and speed up page loading under tighter
security arrangements, we are told.

LinkedIn did provide us with the following statement about the issues raised by Zimperium:
"LinkedIn is committed to protecting the security of our members. In December 2013 we started
transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving
all traffic to all users in the US and the EU by default over HTTPS. This issue does not impact the
vast majority of LinkedIn members given our ongoing global release of HTTPS by default."
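The LinkedIn flaw described above comes down to two configuration choices: HTTPS only on the login page, and no Strict-Transport-Security (HSTS) policy, so a browser will happily follow an http:// link an attacker has rewritten and send the session cookie in the clear. The following simulation, an added example that is not LinkedIn's or Zimperium's code, models the browser's side of that decision. The host example.test, the header sets and the cookie names are constructed for the illustration; the HSTS model assumes the browser has already seen the host over TLS (a first-ever visit has no cached entry unless the host is preloaded).

```python
"""Why SSL stripping works against login-only HTTPS, and how HSTS plus the
Secure cookie flag close the gap. Hypothetical simulation; constructed data."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(headers):
    """Return the max-age of a Strict-Transport-Security header, or 0 if absent/invalid."""
    value = headers.get("Strict-Transport-Security", "")
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


@dataclass
class Cookie:
    name: str
    secure: bool


@dataclass
class Browser:
    """Minimal model of the two browser behaviours that matter for stripping."""
    hsts_hosts: set = field(default_factory=set)
    cookies: dict = field(default_factory=dict)  # hostname -> [Cookie]

    def receive(self, url, headers):
        """Process a response: remember an HSTS policy (only if it arrived over TLS) and store cookies."""
        parts = urlsplit(url)
        if parts.scheme == "https" and parse_hsts(headers) > 0:
            self.hsts_hosts.add(parts.hostname)
        jar = SimpleCookie()
        for raw in headers.get("Set-Cookie", []):
            jar.load(raw)
        for morsel in jar.values():
            self.cookies.setdefault(parts.hostname, []).append(
                Cookie(morsel.key, bool(morsel["secure"])))

    def navigate(self, url):
        """URL the browser actually fetches: a cached HSTS entry upgrades http:// before any bytes leave."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def cookies_sent(self, url):
        """Cookie names attached to a request: Secure cookies never travel over plain HTTP."""
        parts = urlsplit(url)
        return sorted(c.name for c in self.cookies.get(parts.hostname, [])
                      if parts.scheme == "https" or not c.secure)


def session_exposed(login_headers, stripped_url):
    """User logs in over TLS, then follows a link the attacker rewrote to http://.
    Returns the cookie names that would be sent in cleartext (empty means nothing leaks)."""
    browser = Browser()
    browser.receive("https://example.test/login", login_headers)  # constructed host
    target = browser.navigate(stripped_url)
    if urlsplit(target).scheme == "https":
        return []  # HSTS upgraded the request; the stripped link is never fetched over HTTP
    return browser.cookies_sent(target)


# Constructed header sets. LOGIN_ONLY_TLS is the weak pattern the article describes:
# TLS on the login form, a session cookie without Secure, and no HSTS.
LOGIN_ONLY_TLS = {"Set-Cookie": ["session=abc123; HttpOnly; Path=/"]}
SECURE_COOKIE_NO_HSTS = {"Set-Cookie": ["session=abc123; Secure; HttpOnly; Path=/"]}
FULL_HTTPS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": ["session=abc123; Secure; HttpOnly; Path=/"],
}
STRIPPED_LINK = "http://example.test/feed"  # what the attacker rewrote https:// into

if __name__ == "__main__":
    for label, hdrs in [("login-only TLS", LOGIN_ONLY_TLS),
                        ("Secure cookie, no HSTS", SECURE_COOKIE_NO_HSTS),
                        ("HSTS + Secure cookie", FULL_HTTPS)]:
        print(f"{label:24s} cookies over cleartext: {session_exposed(hdrs, STRIPPED_LINK)}")
```

The middle case is worth noting: a Secure flag alone keeps the existing session cookie off the wire, but the browser still fetches the stripped http:// page, so anything the user types into that page (the email and password in Avraham's quote) is still sent unencrypted. Only the HSTS entry stops the downgraded request from being made at all.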

In other internet security news

Thousands of Supermicro baseboard management controllers (BMCs) continue to reveal administrator
passwords in clear text after a security patch described as unsuitable was not applied by system administrators.

Overall, accessing the machines could be extremely simple for the tech savvy. Vulnerable servers
would show up in a network or Shodan scan for port 49152.

Any of the roughly 3296 exposed BMCs could easily be accessed with the hardware's factory default
password.

The world's worst access code, "password", would grant full access to plenty of others. Baseboard
management controllers are a component of server motherboards and the central element of the Intelligent
Platform Management Interface (IPMI), which provides system admins with remote access over UDP
for monitoring the physical state of machines.

"This simply means that as of this writing, there are 31,964 systems that have their passwords
available on the open market," Wikholm wrote on web host Carinet's security incident response team's
blog.

The issue was also noted by Tony Carothers of the SANS Internet Storm Centre, which verified the flaw.

"The security vulnerability involves a plaintext password file available for download simply
by connecting to the specific port, 49152," Carothers said.

"One of our team has tested this security vulnerability, and it works very well."

Admins would need to reflash their systems with a new IPMI BIOS issued by Supermicro as a fix, but
this was not possible for some system admins, Wikholm said.

He offered an alternative work-around that he said did the trick for those unable to reflash.

The Shodan scan run by the site's proprietor John Matherly returned 9.8 million replies to HTTP
GET requests from a scattering of devices listening on port 49152, many of which ran embedded Linux
platforms and broadcast their kernel and hardware architectures.

Some 6.4 million of these were AT&T U-Verse web media boxes and did not spew critical data.

For the Supermicro controller subset, information on kernel versions could be matched against
Shodan to help identify embedded host information.

Many of the total pool ran old Linux kernel versions-- 23,380 operated on kernel 2.4.31.x,
112,883 on 2.4.30.x kernel, and 710,046 systems maintained 2.4.19.x.

The news follows revelations last week that 207,000 BMCs exposed to the public internet
could be exploited via a handful of basic configuration and protocol weaknesses.

Worse, access to the various BMCs permitted hackers to compromise the host server as well as other
BMCs within its management group which shared common passwords, the researchers said at the time.

In other internet security news

Dell said today that hackers have made a staggering US $620,000 in the Dogecoin crypto-currency system
by exploiting vulnerable Synology network attached storage (NAS) servers.

The clever attackers pulled off the largest heist of its kind so far by planting mining software
on the NAS servers to 'borrow' their computational power.

Many NAS units now come with powerful multi-core CPUs capable of mining such coins.

Several unpatched Synology servers were infected and continued to mine Dogecoins for the assailants,
according to Dell.

It took just two months for the attackers to accrue 500 million coins worth US $620,000, Dell
Secureworks researcher Pat Litke wrote in a blog post.

"To this date, this incident is the single most profitable, illegitimate mining operation," Litke
wrote.

"This conclusion is based in part on prior investigations and research done by Secureworks, as well
as further searching of the internet," he added.

Secureworks' analysis suggests that an experienced hacker, likely of German descent and using
the alias Folio, was behind the Dogecoin mining spree, and that he could just as well have
mined Bitcoins instead.